BreachExchange mailing list archives

Federal Trade Commission Loses Data Security Ruling


From: Jake <jake () riskbasedsecurity com>
Date: Tue, 17 Nov 2015 13:55:56 -0500

http://blogs.wsj.com/law/2015/11/16/federal-trade-commission-loses-data-security-ruling/

The Federal Trade Commission’s data-security enforcement efforts have
received a setback—at the hands of the commission’s own in-house
judge.

Administrative Law Judge D. Michael Chappell late Friday dismissed a
long-running and sometimes bitter case involving LabMD, a former
medical testing company the FTC accused of failing to provide
reasonable or appropriate cybersecurity protections for patient data.

The FTC’s civil case against LabMD had focused largely on the
potential exposure of a 1,718-page company report that contained
names, dates of birth, social security numbers and other information
about 9,300 patients.  Online security firm Tiversa found the document
on a peer-to-peer file-sharing network in 2008.

After discovering the file, Tiversa contacted LabMD and sought to sell
the company data security services, which the firm declined, according
to the judge’s ruling.  Tiversa later reported to the FTC that LabMD
had exposed sensitive patient information, the ruling said.

Judge Chappell’s lengthy decision against the FTC said the commission
had not proven that LabMD’s handling of patient data had caused, or
was likely to cause, substantial harm to consumers.

The judge said it didn’t appear that anyone other than Tiversa ever
accessed or viewed the patient document.  The FTC investigation had
not “identified even one consumer that suffered any harm as a result
of [LabMD’s] alleged unreasonable data security,” the judge said.  And
because no one had been harmed in the years since the file was
exposed, it’s hard to believe that someone is likely to be harmed in
the future, Judge Chappell added.

The judge suggested that it was potentially problematic for the FTC to
rely upon information provided by Tiversa because the firm has a
commercial interest in exposing sensitive files on companies’ computer
networks and then offering its services to help those businesses
protect against future infiltrations.

Judge Chappell also was directly critical of Tiversa, saying company
CEO Robert Boback was “not a credible witness” and had a motivation to
retaliate against LabMD because the company had refused to buy
Tiversa’s remediation services.

Tiversa said in a statement, “We have acted appropriately and legally
in every way with respect to LabMD.”

LabMD, a Georgia-based firm, went out of business in early 2014.  The
company’s owner and chief executive, Michael Daugherty, has been an
unusually aggressive FTC critic, writing a book about his experiences
during the commission’s investigation, entitled “The Devil Inside the
Beltway.”

Mr. Daugherty said the FTC probe and lawsuit were costly, burdensome
and unfair, contributing to the company’s demise.  “Yeah we won, but
what did we win?  We’re dead,” he said.  The FTC, he said, “has way
too much lopsided power.”

Jessica Rich, director of the FTC’s Bureau of Consumer Protection,
said in a statement, “Commission staff is disappointed in the ruling
issued by the administrative law judge in this case. We are
considering whether to file an appeal.”

Because the case took place in administrative litigation, any appeal
would first be heard by FTC commissioners, who would review Judge
Chappell’s ruling.

Most of the FTC’s data security cases have resulted in settlements in
which companies pledge to implement more robust cybersecurity
practices.  In one other closely-watched litigated case, the FTC has
won notable rulings against Wyndham Worldwide Corp., which
has contested the commission’s powers to police cybersecurity. Wyndham
has denied the FTC’s allegations and the case is ongoing.

The LabMD ruling “is a pretty stunning defeat for the FTC,” said
lawyer Craig Newman of Patterson Belknap Webb & Tyler LLP, who has
represented companies in data security matters.  “The question is
whether companies will now take a tougher stance when faced with an
FTC enforcement action.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/